Proposed Rules Relating to Internal Control Reports and Evaluations

Overview. Section 404 of the Sarbanes-Oxley Act of 2002 established requirements for issuers to include in their annual reports on Form 10-K an internal controls report that (i) describes management’s responsibilities with respect to internal controls procedures and (ii) contains an assessment of the effectiveness of those procedures, and also for auditors to attest to management’s assessment. The rules now proposed by the SEC to implement those provisions go beyond the express requirements of Section 404, and would require management (i) to evaluate internal controls on a quarterly basis, (ii) to report the results of that evaluation in quarterly and annual SEC reports, and (iii) to make additional certifications regarding internal controls. These evaluation, reporting and certification proposals are in addition to similar requirements for "disclosure controls and procedures" that are currently in effect, as described in our September 5, 2002 Securities Legal Alert regarding CEO/CFO certifications of periodic SEC reports. As we related in that previous Alert, "disclosure controls" is a new and broader concept that relates to the handling of all information (not just financial) required for SEC reports.

Internal Controls Definition. The SEC has defined the term "internal controls and procedures for financial reporting" consistently with existing definitions under generally accepted auditing standards (GAAS). The term refers to controls pertaining to the preparation of financial statements for external purposes that are fairly presented in conformity with GAAP. The SEC believes the purpose of internal controls should be to ensure that each issuer has processes designed to provide reasonable assurance that:

  • the issuer’s transactions are properly authorized;
  • the issuer’s assets are safeguarded against unauthorized or improper use; and
  • the issuer’s transactions are properly recorded and reported to permit the preparation of GAAP financial statements.

Management and Auditor Reports. Under the proposed rules, issuers would be required to include in their 10-K reports an internal controls report of management that contains:

  • a statement of management’s responsibilities for establishing and maintaining adequate "internal controls and procedures for financial reporting";
  • conclusions about the effectiveness of the issuer’s internal controls, based on management’s evaluation of those controls and procedures as of the end of the issuer’s most recent fiscal year; and
  • a statement that the issuer’s auditor has attested to, and reported on, management’s evaluation of the issuer’s internal controls.

The auditor’s attestation report would be issued in accordance with auditing standards to be adopted by the Public Company Accounting Oversight Board established pursuant to the Act. Although issuers can voluntarily obtain an attestation report on internal controls under current auditing standards, few companies have done so to date.

Quarterly Evaluations. The proposed rules would also require that an issuer’s management, with the participation of its CEO and CFO, conduct an evaluation of the design and operation of the issuer’s internal controls as of the end of the period covered by quarterly and annual reports. The CEO’s and CFO’s conclusions about the effectiveness of the issuer’s internal controls would be disclosed in the relevant quarterly or annual report. This is separate from, and in addition to, the internal controls report that is required annually.

CEO/CFO Certifications. Pursuant to other provisions of the Act, CEOs and CFOs currently must provide certifications regarding internal controls in quarterly and annual SEC reports, addressing significant deficiencies or material weaknesses in internal controls, any occurrence of fraud, and significant changes to internal controls since the previous evaluation. The proposed rules would also require the CEO and CFO to certify in such reports that they:

  • are responsible for establishing and maintaining internal controls;
  • have designed such internal controls (or caused them to be designed) to provide reasonable assurances that the financial statements are fairly presented in conformity with GAAP;
  • have evaluated the effectiveness of the internal controls as of the end of the period covered by the report; and
  • have presented in the report their conclusions about the effectiveness of the internal controls based on that evaluation.

Timing. Comments on these proposed rules are due by November 29, 2002. No deadline has been proposed for the effective date of these rules. However, as proposed, the rules concerning internal controls reports would apply only to issuers whose fiscal years end on or after September 15, 2003, and the amended CEO/CFO certifications would apply beginning with the first annual report that includes an internal controls report.

Proposed Rules Relating to Improper Influence of Audits

Overview. Section 303 of the Act makes it unlawful for any officer or director of an issuer, or any other person acting under their direction, to take any action to fraudulently influence, coerce, manipulate or mislead auditors for the purpose of rendering financial statements materially misleading. The SEC’s proposed rules implementing these provisions are far-reaching, in that the SEC has indicated that persons "acting under the direction" of officers or directors could include parties such as customers, vendors or creditors of an issuer who, under the influence of an officer or director, provide false or misleading information to auditors, or who enter into side agreements with the issuer (for example, with respect to the purchase of goods at the end of a given period). The rules also might cover other partners or employees of the auditor (such as accounting consultants retained by an issuer) and attorneys, securities professionals or other advisors who, for example, pressure an auditor to limit the scope of an audit or to issue an unqualified report on the financial statements when such a report would be unwarranted, or who fail to object to inappropriate accounting treatment.

Scope of Conduct. Types of conduct that the SEC believes could constitute improper influence include:

  • offering or paying bribes or other financial incentives, including offering future employment or contracts for non-audit services;
  • providing an auditor with inaccurate or misleading legal analysis;
  • threatening to cancel, or canceling, existing non-audit or audit engagements if the auditor objects to the issuer’s accounting;
  • seeking to have a partner removed from the audit engagement because the partner objects to the issuer’s accounting;
  • blackmailing; and
  • making physical threats.

The SEC also extends the scope of the Act’s prohibition to include "improper" (in addition to "fraudulent") actions to influence auditors. Thus, under the SEC’s proposals, intentional conduct would not be required to prove liability; instead, a person could be liable if he or she takes action knowing, or being unreasonable in not knowing, that the improper influence could, if successful, result in rendering financial statements materially misleading.

The rules as proposed would encompass activities both before the beginning of an audit and after the audit is completed. For example, the proposed rules would apply if an officer or director of an issuer offers to engage an auditor on the condition that the firm limit the scope or performance of audit or review procedures in violation of generally accepted auditing standards. Similarly, the proposed rules would apply to periods subsequent to the professional engagement period when the auditor is considering whether to issue a consent on the use of prior years’ audit reports.

Timing. Comments on these proposed rules are due by November 25, 2002. The Act requires the SEC to issue final rules by April 26, 2003.

Proposed Rules Relating to "Financial Experts"

Overview. Section 407 of the Act requires an issuer to disclose in its annual report on Form 10-K whether the issuer has at least one "financial expert" on its audit committee, and, if not, to provide the reason why. The SEC’s proposed rules implementing that provision would also require each issuer to provide the name of each financial expert and the total number of financial experts on the audit committee. The rules also would require each issuer to affirm that each financial expert is independent of management, as determined by the issuer’s board of directors, or provide the reasons why the person is not.

Definition. The proposed rules define a "financial expert" as a person who has -- through education and experience as a public accountant or auditor or a principal financial officer, controller or principal accounting officer of a reporting issuer, or experience in one or more positions involving similar functions -- the following attributes:

  • an understanding of GAAP and financial statements;
  • experience applying GAAP in connection with the accounting for estimates, accruals and reserves that are generally comparable to the estimates, accruals and reserves, if any, used in the financial statements of the issuer;
  • experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the issuer’s financial statements;
  • experience with internal controls and procedures for financial reporting; and
  • an understanding of audit committee functions.

These requirements are far more stringent than those proposed by the NYSE and NASDAQ. The SEC proposals would require a financial expert to have obtained all of the above attributes from work with publicly-traded companies. Although the specific standards differ, the NYSE and NASDAQ proposals require only that one member of an issuer’s audit committee have a relatively moderate level of financial sophistication, and do not require such member to have previously worked with public companies.

Evaluation and Scope of Experience. Under the proposed rules, in determining whether a director is a financial expert, an issuer’s board of directors would be required to evaluate the totality of his or her education and experience, including certain factors the SEC suggests the board consider. The SEC indicated that a person’s previous service on an audit committee would not, by itself, justify a determination that the person is a financial expert under the proposed definition. On the other hand, under the proposed rules, a director could be found to be sufficiently knowledgeable in financial and accounting matters, without having held any of the specified positions, if he or she has experience in a position that the board determines has provided the person with similar expertise and experience.

Standards of Conduct. The SEC indicated that it does not intend that a financial expert have a higher level of responsibility than other members of the audit committee, or that a financial expert automatically be considered an "expert" for purposes of liability under Section 11 of the Securities Act. The SEC also emphasized that the inclusion of a financial expert on an audit committee will not decrease the duties of the other committee members.

Timing. Comments on these proposed rules are due by November 29, 2002. The Act requires the SEC to issue final rules by January 26, 2003.

Proposed Rules Relating to Codes of Ethics

Overview. Under Section 406 of the Act, issuers will be required to disclose in their annual reports on Form 10-K whether they have adopted a written code of ethics for senior financial officers, and if not, to provide the reason why. The SEC’s proposed rules implementing those provisions would require issuers to disclose whether they have adopted a code that covers their CEO, CFO, chief accounting officer and controller, or persons performing similar functions, and to file the code as an exhibit to the annual report. The addition of the CEO to the covered officers expanded the scope of officers covered by the Act. The proposals also specifically require disclosure of any amendments or waivers of the code in a current report on Form 8-K or on the issuer’s website within two business days after the occurrence.

Code of Ethics Content. Although the proposed rules do not include every subject that the issuer must address in its code of ethics, or prescribe specific language, they do specify the minimum content of the code. The SEC defines the term "code of ethics" to mean a codification of standards that is reasonably designed to deter wrongdoing and to promote:

  • honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest;
  • avoidance of conflicts of interest, including disclosure to appropriate persons designated in the code of potential conflicts;
  • full, fair, accurate, timely and understandable public disclosure, in SEC reports or otherwise;
  • legal and regulatory compliance;
  • prompt internal reporting, to appropriate persons designated in the code, of code violations; and
  • accountability for adherence to the code.

The code should also clearly state the consequences for non-adherence.

Many issuers previously have adopted codes of ethics or business conduct that apply to a broader group of employees than the persons covered by these rules. Such codes might already contain standards that meet the SEC’s minimum content, in which case no amendment will be necessary. In fact, the proposed rules do not require changes to existing codes even if they do not meet the SEC’s standards. However, just as they must disclose and explain the absence of any code of ethics, issuers with a non-conforming code would be required to disclose the reasons why they do not maintain a conforming code.

Reporting of Changes and Waivers. As noted, under the proposed rules, each issuer must disclose on Form 8-K or by a posting to the issuer’s website any change to, or waiver from, the code of ethics for its senior financial officers within two business days after the occurrence. Issuers would be required to disclose not only specifically approved waivers, but also implicit waivers resulting from the issuer’s inaction with respect to a reported or known violation of the code. Under the proposed rules, an issuer may take advantage of the website dissemination option only if it disclosed in its most recently filed annual report on Form 10-K that it intends to disclose these events on its website and provided its website address. Website disclosure would be required to be available for a period of at least 12 months after initial posting, and archived waiver information would be required to be retained for five years.

Centralized Monitoring. The proposed rules would require issuers to designate an "appropriate person" to receive reports of code violations and potential conflicts of interest. While the proposals would allow each issuer to choose the identity of that person, the SEC indicated that the person "should have sufficient status within the company to engender respect for the code and the authority to adequately deal with the persons subject to the code regardless of their stature in the company."

Timing. Comments on these proposed rules are due by November 29, 2002. The Act requires the SEC to issue final rules by January 26, 2003.

Legal Alert is a bulletin of new developments and is not intended as legal advice or as an opinion on specific facts. For more information on securities law issues, please contact us through our Web site, www.KilpatrickStockton.com.